Petya ransomware havoc ends with the release of Petya Decryptor

Petya is a ransomware-type[1] program that was first discovered in 2016. Its developers appear to have revived it at the end of June 2017. Alternatively known as PetrWrap, GoldenEye ransomware, Mamba virus and Mischa ransomware, Petya started in much the same way as WannaCry: the outbreak appeared out of nowhere and then spread rapidly. Some anti-virus tools identify the threat as NotPetya or Nyetya ransomware.

The ransomware has already infected several banks, power suppliers and large companies such as “Rosneft”, “Maersk” and “Saint-Gobain”.[2] The Ukrainian software company M.E.Doc has been accused of releasing the virus.[3] Although the company denied the allegations, some IT experts claim to have evidence that the firm was the initial source.

The latest version uses the wowsmith123456@posteo.net email address to collect ransoms. It demands $300 in Bitcoin in exchange for restoring access to the victims' data. Ukraine, the UK, Spain, Denmark, the Netherlands, India and other countries have already reported infections.

Petya ransomware does not encrypt the victim's files one by one, which is clear evidence that the virus has recently been updated. Instead, it reboots the computer first and then encrypts the MFT (master file table) of the hard drive. The MBR (master boot record) stops working, so the system can no longer look up the information it needs about files, such as their names, sizes and locations.

You can still get infected with the ransomware by downloading a fake office document, so be careful with emails from unknown senders. In addition, The Hacker News has reported that the virus DOES use the same Windows SMBv1 vulnerability that was exploited by the WannaCry infection.[4] To protect yourself, make sure you install Reimage to remove Petya together with its malicious files.

UPDATE: According to IT expert Lawrence Abrams, there is a way to prevent the Petya hijack: users should create a text file named perfc and place it in the C:\Windows folder.[5] The ransomware appears to remove itself if it detects such a file on the system.
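The vaccine described above, as an added PowerShell example that is not part of the original article: it creates an empty C:\Windows\perfc file and verifies it. Marking the file read-only is an extra step that the text itself does not mention, and the script assumes a standard Windows layout ($env:windir) and an elevated (Administrator) session.

```powershell
# Added example: create the "perfc" vaccine file described in the article.
# Assumes an elevated PowerShell session and the default Windows directory ($env:windir).

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell session; writing to $env:windir requires Administrator rights."
}

$vaccine = Join-Path $env:windir 'perfc'

if (Test-Path -LiteralPath $vaccine) {
    Write-Host "$vaccine already exists; leaving it in place."
} else {
    # An empty file is enough: the malware checks for the file's presence, not its content.
    New-Item -Path $vaccine -ItemType File -Force | Out-Null
    Write-Host "Created $vaccine"
}

# Extra step beyond the article's text (assumption, not something the article states):
# make the file read-only so a later process cannot casually overwrite or delete it.
(Get-Item -LiteralPath $vaccine).IsReadOnly = $true

# Verify the result: the file should exist, be 0 bytes and carry the ReadOnly attribute.
Get-Item -LiteralPath $vaccine | Select-Object FullName, Length, Attributes
```

This is a stop-gap for the specific self-check the article describes; it does not patch the SMBv1 vulnerability or remove an infection that is already present.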

UPDATE July 2017: After a long wait, malware analysts have finally released a decryptor for the Petya virus that promises to decrypt files processed by the ransomware's malicious code. The Petya Decryptor comes in two basic forms: a CD version and a Windows executable. Note that this tool is designed only to extract the individual decryption key; the data recovery itself is performed with the decryption software, including the Mischa and GoldenEye decrypters. More detailed instructions on how to use these tools are provided in the instruction section of this article.

Unfortunately, the decryptor is still powerless against hybrid Petya versions such as PetyaWrap or EternalPetya.

Petya turns out to be something different from ransomware

While the online community was looking for a quick solution or another “kill switch” to terminate the menace, IT experts revealed peculiar details that change the view of this malware. When the original version of Petya emerged, it possessed a “kill disk” feature. In other words, even though it encrypted files, it did not maintain proper communication with its Command and Control servers to keep track of victim identification numbers.

Likewise, ExPetr/NotPetya/Petna/Petya interfered with the ID process[6]. What is more, one of the email accounts associated with the perpetrators was cancelled. In short, because of these factors, data recovery becomes impossible: a victim's computer is not assigned a specific code that would allow the matching decrypter to be retrieved.[7]

The malware simply generates random numbers and characters instead of a specific key. For this reason IT specialists call the malware a data wiper, although technically it just makes data recovery futile. Lastly, given the scale of the damage, experts speculate that Petya used a mixture of tools and exploits, namely PsExec, WMI and EternalBlue, to target SMB and local networks.[8] Thus, there is no point in paying the ransom, as affected users will not get their data back.

Petya attack chronology

Name: Petya

Category: Ransomware

Victims:

M.E.Doc servers

The attack originates in Ukraine. It started spreading on 18 June (or earlier) as an update for the popular M.E.Doc accounting software package.

The National Bank of Ukraine

Later, the National Bank of Ukraine announces an “external cyber attack” and warns financial institutions to be extra careful about the malware.

Oshchadbank state bank

An hour later, the state bank Oshchadbank reports limited services for its clients because of the ransomware.

Cabinet of Ministers of Ukraine

Members of the Cabinet of Ministers of Ukraine start tweeting that their computers have been locked by Petya ransomware.

Maersk

Next, the virus infects the container shipping giant Maersk in the Netherlands and Denmark. The company stops all container operations.

Rosneft

Russian oil giant Rosneft confirms attacks on the same day.

DLA Piper

DLA Piper, a global business law firm, reports a malware attack and takes down its servers.

Mondelez

Mondelez offices report the ransomware attack on 27 June. The attack disables its servers.

WPP

WPP, a major UK advertising company, reports a suspected cyber attack, which is clearly Petya ransomware.

Unfortunately, the number of victims is still growing. Not all of them have reported Petya-related problems, but it is believed that several thousand companies are infected with this ransomware.

How Petya operates

As we have mentioned, unlike other ransomware programs this malware immediately restarts the computer. When it boots again, a message appears on the screen saying:

DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!

Even though this may look like a system error, at that very moment Petya is silently carrying out encryption in the background. Once the user tries to reboot the system, or the encryption has finished, a flashing red skeleton appears on the screen along with the text “PRESS ANY KEY!”. After a key is pressed, a new window with the ransom note appears.

Initially, the victim was typically asked to pay 0.9 Bitcoin, which was worth around $400 at the time. The current version demands $300 in Bitcoin. Companies with many infected computers can therefore face a different total ransom.

Petya ransomware encrypts files with the RSA-4096 and AES-256 [9] algorithms, which are strong enough to be used for military purposes. Such encryption cannot be broken without the private key. As is typical of other ransomware programs such as Locky, CryptoWall and CryptoLocker, the private key is stored on a remote server and is only handed over after the ransom is paid to the virus creators.

Additional activity after Petya ransomware attack

Once this virus is in the system, it will try to overwrite the Windows boot files or the so-called master boot record [10], required to load your operating system. You will not be able to remove Petya virus from your computer unless you restore your MBR settings.

Even if you manage to fix these settings and delete the virus from your system, your files will unfortunately remain locked, because virus removal does not decrypt the encrypted documents; it merely deletes the infectious files. Of course, this procedure is still essential if you want to continue using your computer. We advise using sophisticated and reputable antivirus tools like Reimage to take care of Petya removal.

Security experts have just announced a ransomware decryption key that can help you decrypt your files with a special algorithm. To get a chance to use this algorithm, you need to visit this website. However, decrypting your files should not be your only concern.

You should also make sure that you remove Petya ransomware from your computer before it starts the second encryption of your files. If you find any trouble while performing removal, check the detailed guide on the second page of this post.

Ransomware viruses related to Petya

This ransomware has been growing ever since it hit the Internet in 2016 – the developers of Petya have already released these supplementary ransomware versions:

Mischa ransomware was spotted in May 2016. It is known to be part of the Janus Cybercrime Solutions campaign[11], which allows wannabe hackers to join Petya's affiliate network. To become one of its distributors, however, you need to pay a registration fee.

Depending on the volume of ransom payments, affiliates can earn up to 85% of the revenue for spreading the virus around the Internet. If you are even considering becoming an affiliate of such a nasty operation, keep in mind that its creators hold nothing sacred and can just as easily take advantage of you, so be very careful.

Petrwrap ransomware does not belong to the Janus Cybercrime Solutions campaign, which is considered the affiliate network of the ransomware. It is a separate virus based on an altered version of Petya’s ECDH algorithm, letting its developers generate private and public keys outside the RaaS system.

The malware has been using vulnerable RDP connections and the PsExec tool to infiltrate target PC systems and launch the virus. Nevertheless, it is also possible to get the malware by downloading an infected email attachment.

GoldenEye ransomware is very similar to Petya. To show the victim what has been lost, it appends specific file extensions to the target files. The virus also bypasses User Account Control (UAC) to carry out a low-level attack and drop Petya ransomware on the system. If UAC is set to the maximum level, the victim is repeatedly asked to allow the malicious program to make changes to the computer. Clicking “Yes” executes the malware.

Mamba ransomware is extremely dangerous and may infect practically any PC, but its primary targets are the computers of German companies. This malicious program enters the victims’ computers stealthily and carries out its activities without the owner even suspecting that the computer might be under threat.

In this version, the developers finally managed to apply the Salsa20 encryption algorithm properly, eliminating the weaknesses of earlier Petya releases. Otherwise, the virus functions much like its previous version, spreading in the form of a corrupted PDF file. The virus developers have mainly used spam emails and fake software updates to spread the threat.

How can this malware infect your PC and can you prevent the intrusion?

Petya is usually distributed through spam emails that contain a Dropbox download link to a file called “application folder-gepackt.exe”. The virus activates when this file is downloaded and opened. However, the latest version of the virus uses the CVE-2017-0199 Office RTF vulnerability to infiltrate computers.

Now that you know how this virus spreads, you probably already have an idea of how to protect your computer from it. Of course, you need to be careful about opening emails that come from suspicious or unknown sources and that feature supposedly relevant information unrelated to your expected correspondence[12].

You should also make sure to install the MS17-010 update and other Microsoft patches that fix the SMB vulnerability, which is believed to be one of the ransomware's infection vectors at the moment. Finally, equip your system with reputable antivirus software and keep it up to date.
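A PowerShell check for the SMB exposure mentioned above, added here as an example that is not part of the original article. It reports whether the SMBv1 server protocol is enabled, looks for the March 2017 MS17-010 hotfix identifiers by name, and optionally turns SMBv1 off. It assumes Windows 8 / Server 2012 or newer (for Get-SmbServerConfiguration) and an elevated session; on a machine that received a later cumulative update the fix is present but the original KB number will not show up, so an empty hotfix result means "unknown", not "unpatched".

```powershell
# Added example: audit a host for the SMBv1 / MS17-010 exposure discussed in the article.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or newer.

function Get-Smb1Exposure {
    # 1. Is the SMBv1 server protocol switched on?
    $smb = Get-SmbServerConfiguration

    # 2. Is MS17-010 visible as an installed hotfix? These are the March 2017 KB ids for the
    #    various Windows versions; later cumulative updates supersede them, so absence here is
    #    not proof that the host is unpatched.
    $ms17010 = 'KB4012212', 'KB4012215', 'KB4012598', 'KB4012213', 'KB4012216',
               'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'
    $found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $smb.EnableSMB1Protocol
        Ms17010HotFixes   = @($found | ForEach-Object { $_.HotFixID })
        Ms17010Status     = if ($found) { 'KB present' } else { 'unknown (check Windows Update history)' }
    }
}

function Disable-Smb1Server {
    # 3. Remediation: turn the SMBv1 server off. Modern Windows does not need it; old NAS boxes
    #    and printers are the usual reason it is still enabled, so check those dependencies first.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On Windows 10 / Server 2016 the whole component can also be removed:
    #   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

$exposure = Get-Smb1Exposure
$exposure | Format-List

if ($exposure.Smb1ServerEnabled) {
    Write-Warning "SMBv1 server is enabled on $($exposure.ComputerName); run Disable-Smb1Server once legacy dependencies are ruled out."
}
```

Disabling SMBv1 removes the protocol that EternalBlue targets regardless of patch level, which is why the check reports both the protocol state and the patch state separately.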

To protect your files from being encrypted, it is always recommended to back them up from time to time. You should make sure that your important data is stored in three physical places, such as the cloud, an external drive, and so on.

Petya removal and system recovery after the attack:

As we already mentioned, uninstalling Petya ransomware from your computer is essential for the safety of your future files. Also, restoring data from external drives can only be carried out when the virus and all its related parts are fully eliminated from the PC. Otherwise, Petya may infiltrate and lock the files in these external platforms as well.

You cannot remove it from your computer through the simple uninstall procedure, because that option is not available for this malicious program. This means that you will have to delete the virus automatically. Automatic Petya removal should be carried out with trusted antivirus software, which will detect and delete the virus from your computer.

If you are encountering some troubles removing this virus automatically or it blocks your antivirus from running, you can always check our detailed virus removal instructions provided at the end of this article.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By downloading any provided anti-spyware software to remove Petya virus you agree to our privacy policy and agreement of use.

Reimage is recommended to uninstall Petya virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Remove Petya using Safe Mode with Networking

To remove Petya from Windows with the help of Safe Mode, keep in mind that this is a complex cyber infection and it will not give up your computer easily. To launch your anti-virus more easily, use the following instructions:

Step 1: Reboot your computer to Safe Mode with Networking

Windows 7 / Vista / XP

Click Start→Shutdown→Restart→OK.

When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.

Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

Press the Power button at the Windows login screen. Now press and hold the Shift key and click Restart.

Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Petya removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Petya using System Restore

To get rid of the malware with the help of System Restore, use the following steps. Keep in mind that most ransomware tries to prevent its own removal from the infected device.

Step 1: Reboot your computer to Safe Mode with Command Prompt

Windows 7 / Vista / XP

Click Start→Shutdown→Restart→OK.

When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.

Select Command Prompt from the list.

Windows 10 / Windows 8

Press the Power button at the Windows login screen. Now press and hold the Shift key and click Restart.
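Both Safe Mode procedures above (with Networking, and with Command Prompt for the System Restore route) can also be set up from an elevated PowerShell prompt with bcdedit instead of the F8 / Shift+Restart menus. The following is an added example, not part of the original article; it assumes the current boot entry ({current}) is the one to change, and the restore-point helper relies on Get-ComputerRestorePoint, which exists on Windows client editions only.

```powershell
# Added example: configure the next boot for Safe Mode via bcdedit, then undo it afterwards.
# Assumes an elevated PowerShell session; {current} is quoted so PowerShell does not treat it
# as a script block.

function Enter-SafeMode {
    param(
        [ValidateSet('Networking', 'CommandPrompt')]
        [string]$Variant = 'Networking'
    )
    switch ($Variant) {
        'Networking' {
            # Safe Mode with Networking: minimal drivers plus the network stack
            bcdedit /set '{current}' safeboot network | Out-Null
        }
        'CommandPrompt' {
            # Safe Mode with Command Prompt: minimal boot with cmd.exe as the shell instead of Explorer
            bcdedit /set '{current}' safeboot minimal | Out-Null
            bcdedit /set '{current}' safebootalternateshell yes | Out-Null
        }
    }
    # Show the resulting entry so the change can be confirmed before rebooting
    bcdedit /enum '{current}'
}

function Exit-SafeMode {
    # Remove the flags again; otherwise the machine keeps booting into Safe Mode
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    # The alternate-shell value only exists after the CommandPrompt variant; ignore the error otherwise
    bcdedit /deletevalue '{current}' safebootalternateshell 2>$null | Out-Null
}

function Show-RestorePoints {
    # Lists the restore points available for the System Restore step (Windows client editions only).
    # Restore-Computer -RestorePoint <SequenceNumber> rolls system files and settings, not user
    # documents, back to the chosen point.
    Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description
}

# Usage:
#   Enter-SafeMode -Variant Networking      # then: shutdown /r /t 0
#   ... run the scanner, or Show-RestorePoints / Restore-Computer ...
#   Exit-SafeMode                           # then reboot normally
```

Using bcdedit is useful when the malware interferes with the boot menu keystrokes, but it changes the boot configuration persistently, so Exit-SafeMode (or the equivalent msconfig change) must be run before the final normal reboot.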

What is the use of Data Recovery Pro?

Data Recovery Pro is probably the quickest route to getting your data back. It does not require any extra preparation or skill and is relatively effective when it comes to the file recovery process. Here is how to use it:

Follow the steps of the Data Recovery Pro setup and install the program on your computer;

Launch it and scan your computer for files encrypted by Petya ransomware;

Restore them.

Rescue your important files with Windows Previous Versions feature

Windows Previous Versions is one of the data recovery options Windows operating system offers as an in-built feature. Keep in mind that this recovery technique only works when the System Restore function is enabled. Do not hesitate to give it a try:

Find an encrypted file you need to restore and right-click on it;

Select “Properties” and go to “Previous versions” tab;

Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

ShadowExplorer to help decrypt files encrypted by Petya

Unfortunately, Petya ransomware deletes the Volume Shadow Copies of the files it encrypts, so ShadowExplorer cannot normally be used to recover them. Should any shadow copies have survived on your system, the steps below apply:

Follow a Shadow Explorer Setup Wizard and install this application on your computer;

Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;

Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
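Before spending time on the Previous Versions or ShadowExplorer routes above, it is worth checking whether any Volume Shadow Copies actually survived the infection. The following PowerShell check is an added example, not part of the original article; it reads the Win32_ShadowCopy class and assumes an elevated session.

```powershell
# Added example: list the shadow copies the VSS service still knows about.
# If the list is empty, Previous Versions and ShadowExplorer have nothing to restore from.
# Assumes an elevated PowerShell session.

function Get-SurvivingShadowCopies {
    $copies = Get-CimInstance -ClassName Win32_ShadowCopy
    if (-not $copies) {
        Write-Warning "No shadow copies present on this system."
        return @()
    }
    foreach ($c in $copies) {
        [pscustomobject]@{
            Id           = $c.ID
            Volume       = $c.VolumeName     # the \\?\Volume{...}\ the snapshot belongs to
            Created      = $c.InstallDate    # when the snapshot was taken
            DeviceObject = $c.DeviceObject   # the path ShadowExplorer-style tools read from
        }
    }
}

function Get-VolumeNameForDriveLetter {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'C:'
    # Win32_Volume maps a drive letter to the \\?\Volume{...}\ name used by Win32_ShadowCopy
    (Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }).DeviceID
}

$shadows = Get-SurvivingShadowCopies
$shadows | Format-Table -AutoSize

# Which of them belong to the system drive?
$sysVolume = Get-VolumeNameForDriveLetter -DriveLetter $env:SystemDrive
$onSystemDrive = @($shadows | Where-Object { $_.Volume -eq $sysVolume })
"{0} shadow copies found, {1} of them on {2}" -f @($shadows).Count, $onSystemDrive.Count, $env:SystemDrive

# Equivalent command-line check: vssadmin list shadows
```

A non-empty result does not guarantee the files you need are inside the snapshot, but an empty one settles the question and saves the time the GUI steps would otherwise take.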

Petya decrypter for Mischa and Goldeneye versions now available

If files on your device have been encrypted by Goldeneye or Mischa versions, the first thing you should do is download the personal key extraction software and generate the decryption key. To make this work, follow this process:

1. Find out what your Victim ID is. It may be included in the ransom note or you may find it attached at the end of every encrypted document.

2. Copy the ID in a .txt file and then run the previously downloaded tool to generate the key.

3. Save the extracted key.

When you are done with the key extraction, you can then proceed to the next data recovery step:

5. Select the file you want to decrypt (we recommend making a copy of the files you want to decrypt in order to avoid decryption errors and potential loss of data).

6. Submit the saved recovery key in the areas provided and click “Decrypt”.

7. If the outcome of the decryption is successful, continue the decryption of the rest of your computer files by supplying the decryptor with the extensions the virus has appended to the encrypted files.
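Step 5 above recommends copying the encrypted files before handing them to the decrypter, and step 7 relies on the extension the virus appended. The following PowerShell function does that copy in bulk and verifies each copy by SHA-256 hash. It is an added example, not part of the original article or of the decrypter tools; the extension value and the folder paths are placeholders to be replaced with what you see on your own files.

```powershell
# Added example: back up every file carrying the appended extension before decryption.
# Placeholders: the source folder, the backup folder (ideally on a different drive) and the
# extension the ransomware appended; check your own files for the real value.

function Backup-EncryptedFiles {
    param(
        [Parameter(Mandatory)][string]$SourceRoot,          # e.g. 'D:\Users\alice\Documents'
        [Parameter(Mandatory)][string]$BackupRoot,          # e.g. 'E:\petya-backup'
        [Parameter(Mandatory)][string]$AppendedExtension    # e.g. '.locked' (placeholder)
    )
    $files = Get-ChildItem -LiteralPath $SourceRoot -Recurse -File -Filter "*$AppendedExtension" -ErrorAction SilentlyContinue
    $manifest = @()
    $prefixLength = $SourceRoot.TrimEnd('\').Length

    foreach ($f in $files) {
        # Keep the directory layout under BackupRoot so each copy can be matched to its original
        $relative = $f.FullName.Substring($prefixLength).TrimStart('\')
        $dest = Join-Path $BackupRoot $relative
        New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
        Copy-Item -LiteralPath $f.FullName -Destination $dest

        # Hash both sides so a truncated or altered copy is noticed before decryption is attempted
        $srcHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        $manifest += [pscustomobject]@{
            Original = $f.FullName
            Backup   = $dest
            SHA256   = $srcHash
            Verified = ($srcHash -eq $dstHash)
        }
    }

    if ($manifest.Count -gt 0) {
        # The manifest lets you prove later which ciphertext each decrypted file came from
        $manifest | Export-Csv -Path (Join-Path $BackupRoot 'manifest.csv') -NoTypeInformation
    }
    return $manifest
}

# Usage (placeholder paths and extension):
#   $result = Backup-EncryptedFiles -SourceRoot 'D:\Users\alice\Documents' `
#                                   -BackupRoot 'E:\petya-backup' -AppendedExtension '.locked'
#   "{0} files copied, {1} verified" -f $result.Count, @($result | Where-Object Verified).Count
```

Run the decrypter against the originals only after every manifest entry shows Verified = True; if a decryption attempt corrupts a file, the hashed copy under the backup folder is the one to retry from.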